The HIPAA Security Rule states that covered entities must undergo a risk assessment. The risk assessment process, which may also include a gap analysis, is itself a major undertaking for any organization. The gap analysis helps the organization determine where it stands relative to the HIPAA standards, and the risk assessment will determine the value of the organization's assets, analyze risks and threats against those assets, and recommend countermeasures and safeguards to reduce the risk to those assets. This book will provide greater detail on these topics, but covered entities should be prepared to budget for risk assessment, gap analysis and remediation plans. Organizations may choose to take on the task of risk and gap analysis themselves or contract with a qualified third party to do it. In either case, there will be costs associated with these alternatives, which will require a proposal and approval process. After the risk and gap analysis is complete, the organization will have a good idea of what it needs to do to become compliant. Plans for achieving compliance will be drawn up at this time. Funding the resources required to execute these plans will require drafting further proposals and obtaining further approvals. As you can see, budgeting is not a single step in the process of achieving HIPAA compliance, but could potentially be an activity you will undertake several times as projects and remediation plans are executed.